Policy about network-listening daemons running as root?

Daniel J Walsh dwalsh at redhat.com
Tue May 22 16:52:43 UTC 2007


Hans de Goede wrote:
> Konstantin Ryabitsev wrote:
>> Hi, all:
>>
>> Do we have a policy about network-listening daemons not running as
>> root? Not according to my perusal of fedoraproject.org, but I wanted
>> to verify in case it's one of the "unwritten rules."
>>
>
> This clearly falls under the unwritten use your common sense rule. IOW 
> no daemon / service should run as root unless it absolutely must, and 
> when not running as root it should have its own user, not use a system 
> user shared with other daemons.
>
> Regards,
If it runs as root, it should drop capabilities that it does not need, 
and it should have an SELinux policy to confine it.  Of course if it 
runs as non-root, it should have an SELinux policy to confine it.

These are shoulds, not musts.
>
> Hans
>
> -- 
> Fedora-maintainers mailing list
> Fedora-maintainers at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-maintainers
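
The privilege drop discussed above (a daemon running under its own account rather than root, with no way back), as an added example that is not code from this post or from any Fedora daemon: after its root-only setup, the process switches to a dedicated unprivileged account and verifies that root cannot be regained. The account name "nobody" is assumed here only as a stand-in for the daemon's own user.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if the process is unprivileged and cannot become root again:
 * real and effective ids are non-zero, and setuid(0)/setgid(0) are refused
 * (they would succeed if the saved ids had been left at 0). */
int privs_irreversibly_dropped(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) return 0;
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (setuid(0) != -1 || setgid(0) != -1) return 0;  /* must be refused */
    return 1;
}

/* Drop root to the daemon's own dedicated account (not a system user shared
 * with other daemons), called once the root-only setup is done. Changing
 * every uid from 0 to non-zero also clears the process's capability sets.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) { errno = ENOENT; return -1; }
    if (pw->pw_uid == 0 || pw->pw_gid == 0) { errno = EINVAL; return -1; }
    /* Groups first: once the uid is gone, setgroups/setgid need CAP_SETGID. */
    if (setgroups(0, NULL) == -1) return -1;
    if (setgid(pw->pw_gid) == -1) return -1;
    if (setuid(pw->pw_uid) == -1) return -1;  /* as root: real, effective and saved */
    if (!privs_irreversibly_dropped(pw->pw_uid, pw->pw_gid)) { errno = EPERM; return -1; }
    return 0;
}

int main(void)
{
    /* "nobody" is an assumed stand-in for the daemon's dedicated account. */
    if (geteuid() != 0) { puts("not root; nothing to drop"); return 0; }
    if (drop_to_user("nobody") == -1) { perror("drop_to_user"); return 1; }
    printf("now uid=%u gid=%u, root is unreachable\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```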



